Complex security mechanism is unsecure

John F Haugh II jfh at rpp386.cactus.org
Thu Dec 13 00:46:05 AEST 1990 

In article <6874 at titcce.cc.titech.ac.jp>, mohta at necom830.cc.titech.ac.jp (Masataka Ohta) writes:
> In the latter case, you must be careful that no unauthorized person can
> have uucp nor root priviledge. If you have an executable owned by uucp
> in root's command serach path (like /usr/bin/tip), those who have uucp
> priviledge can easily set a trojan horse trap.
 
sure, and any program owned by "bin" which is in root's command search
path is also likely to be a trojan horse.  most of the programs in /bin
have that property.  this is why "bin" shouldn't have a password unless
you are willing to have the owners of "bin"'s password become "root"
someday.  and the same applies, of course, to "uucp" and "sys" and so on.

> >Unfortunately, if you have an application that
> >wants to change the ownership to the user, such as cu, you must now
> >make cu set-UID to "root".
> 
> But it is more secure.
 
not true - read on.

> So, don't make the security mechanism complex. The simpler, the more secure.

this part is true - the number of things which you must protect against
with "root" being the effective user ID is far greater than the number
of failure modes with a program set-UID to "uucp".  "uucp" has no
extra privileges, whereas "root" has all of them.

consider for just a moment the entire catagory of failures along the
lines of "illegal file access".  "root" does not require access permission
to change a file, but "uucp" does.  there still remains many other system
calls which have special behavior with euid == 0.  none of those apply
to euid == "uucp".  finally, as if we were adding insult to injury, the
common implementation of setuid() on System V does not include the ability
to toggle between euid == 0 and euid == ruid - the first visit from 0 to
ruid is permanent, which means that you either run as euid == 0 all day
long, or fork off other processes to change their id's and exit.  yet, if
euid != 0 and ruid != 0, you are free to alternate between euid and ruid
repeatedly (actually, between ruid and the saved set user ID).

so, the short form answer is that in general set-UID to root is far less
secure that set-UID to non-root, and this is borne out in various security
related documents and criteria.  you should =always= execute with the
least amount of privilege required to perform the task at hand.  set-UID
to root is a direct violation of this concept of least privilege.
-- 
John F. Haugh II                             UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832                           Domain: jfh at rpp386.cactus.org

More information about the Comp.unix.internals mailing list